|Breach of act
||Breach of the Seventh Data Protection Principle: the bank failed to provide adequate training or to find a more secure means for the transmission of personal information.
|Known or should have known
||The bank was aware that there were risks associated with sending information by fax as it had procedures in place to regulate this and instituted some training on the discovery of the first breach. However, the continuation of these breaches is testimony to the inefficacy of the taken measures.
|Likely to cause damage or distress
||The disclosure of personal information of the data subjects is likely to cause them substantial distress, particularly when this information was supposed to be dealt with in confidence. It also carries the risk that the information could be further disseminated and misused, potentially leading to identity fraud and possible financial loss.